interface (802.1X)


Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 9.0 for the EX Series.

Statement introduced in Junos OS Release 9.3 for the MX Series.

server-reject-vlan introduced in Junos OS Release 9.3 for EX Series switches.

eapol-block introduced in Junos OS Release 11.2.

Statement introduced in Junos OS Release 14.1X53-D30 for the QFX Series.

authentication-order and redirect-url introduced in Junos OS Release 15.1R3.

server-fail-voip introduced in Junos OS Releases 14.1X53-D40 and 15.1R4 for EX and QFX Series switches.

ignore-port-bounce introduced in Junos OS Release 17.3R1.

multi-domain introduced in Junos OS Release 18.3R1.

Description

Configure IEEE 802.1X authentication for Port-Based Network Access Control for all interfaces or for specific interfaces.

Options

(all | [ interface-names ])

Configure either a list of interface names or all interfaces for 802.1X authentication.

disable

Disable 802.1X authentication on a specified interface or all interfaces.

Default: 802.1X authentication is disabled on all interfaces.

guest-bridge-domain guest-bridge-domain

(MX Series only) Specify the bridge domain tag identifier or the name of the guest bridge domain to which an interface is moved when no 802.1X supplicants are connected on the interface. The bridge domain specified must already exist on the device.

guest-vlan (vlan-id | vlan-name)

(EX, QFX, and SRX Series only) Specify the VLAN tag identifier or the name of the guest VLAN to which an interface is moved when no 802.1X supplicants are connected on the interface. The VLAN specified must already exist on the device. Guest VLANs can be configured on devices that are using 802.1X authentication to provide limited access—typically only to the Internet—for corporate guests. A guest VLAN is not used for supplicants that send incorrect credentials. Those supplicants are directed to the server-reject VLAN instead.

ignore-port-bounce

Ignore the port-bounce command contained in a Change of Authorization (CoA) request. CoA requests are RADIUS messages that are used to dynamically modify an authenticated user session already in progress. CoA requests are sent from the authentication, authorization, and accounting (AAA) server to the device, and are typically used to change the VLAN for the host based on device profiling. End devices such as printers do not have a mechanism to detect the VLAN change, so they do not renew the lease for their DHCP address in the new VLAN. The port-bounce command is used to force the end device to initiate DHCP re-negotiation by causing a link flap on the authenticated port.

Default: The port-bounce command is supported by default. If you do not configure the ignore-port-bounce statement, the device responds to a port-bounce command by flapping the link to re-initiate DHCP negotiation for the end device.

maximum-requests number

Specify the maximum number of times an EAPoL request packet is retransmitted to the supplicant before the authentication session times out.

Range: 1 through 10

Default: 2

no-reauthentication | reauthentication seconds

Either disable reauthentication or configure the number of seconds before the 802.1X authentication session times out and the client must reattempt authentication.
Note

If the authentication server sends an authentication session timeout to the client, this takes priority over the value configured locally using the reauthentication statement. The session timeout value is sent from the server to the client as an attribute of the RADIUS Access-Accept message.

Range: 1 through 4,294,967,296 seconds

Default: Reauthentication is enabled, with 3600 seconds until the client can attempt to authenticate again.

no-tagged-mac-authentication

Don’t allow a tagged MAC address for RADIUS authentication.

quiet-period seconds

Specify the number of seconds the interface remains in the wait state following a failed authentication attempt by a supplicant before reattempting authentication.

Range: 0 through 65,535 seconds

Default: 60 seconds

redirect-url redirect-url

Specify a URL that redirects unauthenticated hosts to a central Web authentication (CWA) server. The CWA server provides a web portal where the user can enter a username and password. If these credentials are validated by the CWA server, the user is authenticated and is allowed access to the network.

The redirect URL for central Web authentication can be configured centrally on the AAA server or locally on the switch. Use the redirect-url statement to configure the redirect URL locally on the interface connecting the host to the switch.

The redirect URL and a dynamic firewall filter must both be present for the central Web authentication process to be triggered. For more information about configuring the redirect URL and the dynamic firewall filter for central Web authentication, see Configuring Central Web Authentication.

Note

When the dynamic firewall filter is configured using the special Filter-ID attribute JNPR_RSVD_FILTER_CWA, the CWA redirect URL must include the IP address of the AAA server, for example, https://10.10.10.10.

Syntax: The redirect URL must use the HTTP or HTTPS protocol and include an IP address or website name. The following are examples of valid redirect URL formats:

  • http://www.example.com

  • https://www.example.com

  • http://10.10.10.10

  • https://10.10.10.10

  • http://www.example.com/login.html

  • https://www.example.com/login.html

  • http://10.10.10.10/login.html

  • https://10.10.10.10/login.html

Default: Disabled. The redirect URL is not enabled for central Web authentication by default.

retries number

Specify the number of times the device attempts to authenticate the port after an initial failure. When the limit is exceeded, the port waits to reattempt authentication for the number of seconds specified with the quiet-period option configured at the same hierarchy level.

Range: 1 through 10 retries

Default: 3 retries

server-fail (bridge-domain bridge-domain | deny | permit | use-cache | vlan-name vlan-name)

Specify how end devices connected to a device are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a supplicant’s initial attempt at authentication through the RADIUS server.

You must specify an action that the device applies to end devices when the authentication servers are unavailable. The device can accept or deny access to supplicants or maintain the access already granted to supplicants before the RADIUS timeout occurred. You can also configure the switch to move the supplicants to a specific VLAN or bridge domain. The VLAN or bridge domain must already be configured on the device.

Note

The server-fail statement is specifically for data traffic. For VoIP-tagged traffic, use the server-fail-voip statement. The same interface can have a server-fail VLAN and a server-fail-voip VLAN configured.

Values:

  • bridge-domain—(MX Series only) Move the supplicant on the interface to the bridge domain specified by this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to an interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the bridge domain and is not authenticated. The bridge domain must already be configured on the device.

  • deny—Force the supplicant authentication to fail. No traffic will flow through the interface.

  • permit—Force the supplicant authentication to succeed. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.

  • use-cache—Force the supplicant authentication to succeed only if it was previously authenticated successfully. This action ensures that already authenticated supplicants are not affected.

  • vlan-name—(EX, QFX, or SRX Series only) Move the supplicant on the interface to the VLAN specified by this name or numeric identifier. This action is allowed only if it is the first supplicant connecting to the interface. If an authenticated supplicant is already connected, then the supplicant is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the device.

Default: If the RADIUS authentication server becomes unavailable, the end device is not authenticated and is denied access to the network.

server-fail-voip (deny | permit | use-cache | vlan-name vlan-name)

(EX, QFX Series only) Specify how VoIP clients sending voice traffic are supported if the RADIUS authentication server becomes unavailable. Server fail fallback is triggered most often during reauthentication when the already configured and in-use RADIUS server becomes inaccessible. However, server fail fallback can also be triggered by a VoIP client’s initial attempt at authentication through the RADIUS server.

You must specify an action that the switch applies to VoIP clients when the authentication servers are unavailable. The switch can accept or deny access to VoIP clients or maintain the access already granted to clients before the RADIUS timeout occurred. You can also configure the switch to move the VoIP clients to a specific VLAN. The VLAN must already be configured on the switch.

The server-fail-voip statement is specific to the VoIP-tagged traffic sent by clients. VoIP clients still require that the server-fail statement be configured for the un-tagged traffic that they generate. Therefore, when you configure the server-fail-voip statement you must also configure the server-fail statement.

Note

An option other than server-fail deny must be configured for server-fail-voip to successfully commit.

Values:

  • deny—Force the VoIP client authentication to fail. No traffic will flow through the interface.

  • permit—Force the VoIP client authentication to succeed. Traffic will flow through the interface as if it were successfully authenticated by the RADIUS server.

  • use-cache—Force the VoIP client authentication to succeed only if it was previously authenticated successfully. This action ensures that already authenticated clients are not affected.

  • vlan-name—Move the VoIP client on the interface to the VLAN specified by this name or numeric identifier. This action is allowed only if it is the first VoIP client connecting to the interface. If an authenticated VoIP client is already connected, then the VoIP client is not moved to the VLAN and is not authenticated. The VLAN must already be configured on the switch.

Default: If a RADIUS authentication server becomes unavailable, a VoIP client that begins authentication by sending voice traffic is not authenticated, and the voice traffic is dropped.
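As an added example (not from the Juniper page), the following interface stanza combines the server-fail and server-fail-voip options so that a RADIUS outage does not open the port to hosts that were never authenticated. The hierarchy [edit protocols dot1x authenticator], the interface name and the VLAN names are assumptions; none of them appears on this page.

```junos
protocols {
    dot1x {
        authenticator {
            /* Constructed interface name; a phone plus a PC behind it, each authenticated on its own */
            interface ge-0/0/10.0 {
                supplicant multiple;
                reauthentication 3600;
                /* Constructed VLAN names; both must already exist under [edit vlans] */
                guest-vlan guests;
                server-reject-vlan quarantine;
                /* RADIUS unreachable: keep only sessions that were already authenticated */
                /* "server-fail permit" would fail open and admit any host plugged in during the outage */
                /* "server-fail deny" cannot be combined with server-fail-voip (commit fails) */
                server-fail use-cache;
                server-fail-voip use-cache;
            }
        }
    }
}
```

The port still falls back to the guest VLAN when no supplicant is present and to the server-reject VLAN on bad credentials; only the outage case is changed from the default deny to use-cache.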

server-timeout seconds

Specify the amount of time a port will wait for a reply when relaying a response from the supplicant to the authentication server before timing out and invoking the server-fail action.

Range: 1 through 60 seconds

Default: 30 seconds

supplicant (single | single-secure | multiple)

Specify the MAC-based method used to authenticate clients.

Values: Specify one of the following:

  • single—Authenticates only the first client that connects to an authenticator port. All other clients connecting to the authenticator port after the first are permitted free access to the port without further authentication. If the first authenticated client logs out, all other supplicants are locked out until a client authenticates again.

  • single-secure—Authenticates only one client to connect to an authenticator port. The host must be directly connected to the switch.

  • multiple—Authenticates multiple clients individually on one authenticator port. You can configure the number of clients per port. If you also configure a maximum number of devices that can be connected to a port through port security settings, the lower of the configured values is used to determine the maximum number of clients allowed per port.

Default: single

supplicant-timeout seconds

Specify the number of seconds the port waits for a response when relaying a request from the authentication server to the supplicant before re-sending the request.

Range: 1 through 60 seconds

Default: 30 seconds

transmit-period seconds

Specify the number of seconds the port waits before retransmitting the initial EAPoL PDUs to the supplicant.

Range: 1 through 65,535 seconds

Default: 30 seconds

The remaining statements are explained separately. Search for a statement in CLI Explorer or click a linked statement in the Syntax section for details.

Required Privilege Level

routing—To view this statement in the configuration.

routing-control—To add this statement to the configuration.